You know what pisses me off about this? There’s an easy way to at least mitigate this: an option to only allow people with two-factor to chat, disallow people from attaching the same phone number to more than two accounts, disallow you from using Google Voice numbers for 2FA.
And what really pisses me off is that this has been suggested multiple times on their “UserVoice” site that they only seem to fucking care about when it’s stupid shit like changing the color of /me.
414 votes since last year, and yet changing the color of /me was more of a priority with its 8 total votes across 3 different requests.
@Twitch I swear, the more I think about how easy this would be, the more angry I get. Their frontend uses GraphQL to POST back to their backend. Updating the allowed payload to add `require2FA` or something similar would be trivial.
They already have a check in place to check `requireVerifiedAccount` before allowing chat. Adding `require2FA` to that check as well would be near trivial.
This is an assumption, but I'm guessing they're using some sort of relational database. Adding a column for the new setting, defaulted to false, is near trivial.
Still need to add the toggle on the settings page. Easy to do, just need to add a new divider and the toggle.
Accounting for code review and testing, a week of work to get this started. Locking the same 2FA account to 2 accounts max is more work and I'm not going to speculate how long that'd take. Lots of variables in how that could've been written.
And as for detecting online numbers? There are entire databases whose entire job is to provide that service to companies. Tons of large companies use them, Venmo being one I can think of off the top of my head.
But again, changing the color of /me was more important to you than protecting creators @Twitch
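
A sketch of the checks the thread proposes, as an added example that is not part of the original thread and is not Twitch's code. Every name except `requireVerifiedAccount` and `require2FA` is hypothetical, the phone lookup is a constructed stand-in for a commercial line-type service, and all rows are constructed sample data.

```javascript
"use strict";
// Hypothetical server-side gate; this is not Twitch's schema or API.
// The flag may arrive via a GraphQL payload, but it has to be enforced on the backend.
const MAX_ACCOUNTS_PER_PHONE = 2; // cap proposed in the thread

// Constructed stand-in for a commercial phone-intelligence lookup.
const CONSTRUCTED_VOIP_NUMBERS = new Set(["+15550100099"]);
const lookupLineType = (phone) =>
  CONSTRUCTED_VOIP_NUMBERS.has(phone) ? "voip" : "mobile";

// Enrollment check: reject online/VoIP numbers and numbers already at the cap.
function canEnroll2FA(phone, accounts) {
  if (lookupLineType(phone) === "voip") {
    return { ok: false, reason: "voip_number" };
  }
  const inUse = accounts.filter((a) => a.twoFactorPhone === phone).length;
  if (inUse >= MAX_ACCOUNTS_PER_PHONE) {
    return { ok: false, reason: "phone_limit" };
  }
  return { ok: true, reason: null };
}

// Chat gate: the existing verified-account check plus the new require2FA flag.
// A missing setting is falsy, matching a new column that defaults to false.
function canChat(account, settings) {
  if (settings.requireVerifiedAccount && !account.emailVerified) {
    return { allowed: false, reason: "unverified_account" };
  }
  if (settings.require2FA && !account.twoFactorPhone) {
    return { allowed: false, reason: "2fa_required" };
  }
  return { allowed: true, reason: null };
}

// Constructed sample rows.
const accounts = [
  { login: "viewer_a", emailVerified: true, twoFactorPhone: "+15550100001" },
  { login: "viewer_b", emailVerified: true, twoFactorPhone: "+15550100001" },
  { login: "viewer_c", emailVerified: true, twoFactorPhone: null },
];
const strictChannel = { requireVerifiedAccount: true, require2FA: true };
const legacyChannel = { requireVerifiedAccount: true }; // require2FA never set

console.log(canChat(accounts[2], strictChannel)); // blocked: no 2FA enrolled
console.log(canChat(accounts[2], legacyChannel)); // allowed: setting defaults off
console.log(canEnroll2FA("+15550100001", accounts)); // blocked: number at the cap
```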